Using DNS Logs As a Security Information Source
Occasionally this list is used as part of research into malware and domain security. Please drop us a note if you find such a reference in an article or presentation; if you are the author, let us know.
Two papers we’ve become aware of:
Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games - http://www.cc.gatech.edu/~ynadji3/docs/pubs/gzaraid2011.pdf
A Demonstration of DNS3: a Semantic-Aware DNS Service - http://iswc2011.semanticweb.org/fileadmin/iswc/Papers/PostersDemos/iswc11pd_submission_106.pdf
The zone and text files are ONLY available from a mirror and are no longer available on the main site. All requests for files on www.malwaredomains.com will be directed to our main mirror, mirror1.malwaredomains.com.
MalNET serves as a low-interaction HTTP server which responds with a ’200 OK’ for every request. When malware attempts to retrieve http://bad.malwaredomain.com/som/bad/file.exe, MalNET basically says ‘yep, OK, here it is’ and then does nothing. To make this work you will need to run some sort of blackhole DNS setup in your environment, such as the one on offer from malwaredomains.com, so that the blocked domains resolve to your MalNET host. Once you have traffic redirected to your MalNET host, you should be able to see what the malware is trying to download.
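The sinkhole behaviour described above, as an added example written for this page (not MalNET’s own code): a loopback HTTP server that answers every request with an empty 200 OK and records the client address, Host header, path and User-Agent so you can see what the redirected malware asked for. The names SinkholeHandler, run_sinkhole, probe and LOG, the Host value bad.malwaredomain.com and the User-Agent string are assumptions made for the example.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# One tuple per request: (client_ip, method, host_header, path, user_agent).
# In a real deployment this would be written to a log file or SIEM instead.
LOG = []


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answer everything with 200 OK and an empty body, like MalNET."""

    def _sink(self):
        # Drain any request body so the client is not cut off mid-upload.
        length = int(self.headers.get("Content-Length", 0) or 0)
        if length:
            self.rfile.read(length)
        LOG.append((self.client_address[0], self.command,
                    self.headers.get("Host", "-"), self.path,
                    self.headers.get("User-Agent", "-")))
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _sink

    def log_message(self, *args):
        pass  # keep stderr quiet; LOG is the record


def run_sinkhole(port=0):
    """Start the sinkhole on 127.0.0.1 (port 0 = pick a free port)."""
    srv = HTTPServer(("127.0.0.1", port), SinkholeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(srv, path, host="bad.malwaredomain.com"):
    """Constructed client: an infected host whose DNS was blackholed to us."""
    url = f"http://127.0.0.1:{srv.server_address[1]}{path}"
    req = Request(url, headers={"Host": host, "User-Agent": "constructed-agent/1.0"})
    with urlopen(req) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    srv = run_sinkhole()
    print(probe(srv, "/som/bad/file.exe"))  # (200, b'')
    for entry in LOG:
        print(entry)
    srv.shutdown()
```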
Today, we’re happy to announce Google Safe Browsing Alerts for Network Administrators — an experimental tool which allows Autonomous System (AS) owners to receive early notifications for malicious content found on their networks. A single network or ISP can host hundreds or thousands of different websites. Although network administrators may not be responsible for running the websites themselves, they have an interest in the quality of the content being hosted on their networks. We’re hoping that with this additional level of information, administrators can help make the Internet safer by working with webmasters to remove malicious content and fix security vulnerabilities.
To get started, visit safebrowsingalerts.googlelabs.com.
Nice article on SANS:
For example when seed data pulled from Malware Domains is correlated with passive DNS and ASN data, then visualized, it is possible to see how the majority of the authoritative nameservers are hosted in the same network block. This dependence indicates an investment by the aggressor into a particular hosting company and can provide an effective network-level block at relatively low cost. As always, be aware of potential collateral damage when blocking a network portion that may also contain legitimate IP hosting space.
Websense has an eye-opening writeup on how some malware is now using ARP cache-poisoning and making the infected machine into an HTTP proxy server. Poof! Your entire network is poisoned! Castlecops has a writeup from someone in China who has experienced this first hand: Machines which are declared clean by multiple AV products still suffer from the IFRAME. Yikes!
Dancho Danchev’s blog lists several domains full of exploits, using “comprehensive multiple IFRAMES loading campaigns”:
In better news, shadowserver reports that the 17 Storm Worm domains, including i-halifax.com and i-barclays.com, appear to have all been placed in a status of “NOT DELEGATED” over at nic.ru, preventing A records from being returned when looking up the domains. (Some of the other holiday-related Storm Worm domains still have their NS records.)